BACKGROUND OF THE INVENTION

Field of the Invention

This invention relates generally to cryptography and to secure distributed
computation, and more particularly it relates to computerized auctions conducted
using PCs and/or servers over a network, such as the Internet.



Description Of The Prior Art 



An exciting topic of cryptographic research is secure function evaluation [see
e.g. REFERENCES 3, 7, the citations for which are given in detail at the end of the
specification]. For any function F(x.sub.1, x.sub.2, ..., x.sub.n), it is possible, in
principle, to construct a protocol that allows a group of n parties, where party i has as
its private input x.sub.i, to jointly evaluate F(x.sub.1, x.sub.2, ..., x.sub.n). Following
the protocol the parties learn F(x.sub.1, x.sub.2, ..., x.sub.n) but no party i can learn
about the inputs other than x.sub.i more than can be computed from x.sub.i and
F(x.sub.1, x.sub.2, ..., x.sub.n). The drawback of these protocols is that they are
rather complex and require a lot of interaction between each of the parties. In the
case of auctions this would require high interaction between the bidders, who have
no motivation to interact with each other. The present invention, as will be described
in greater detail in the following, provides a much simpler method in which all the
parties communicate with just a single center. In the inventive method described
hereinafter, the input of each of the parties becomes known to this center but
otherwise, it is not known to any other party. The inventive method enables the
center to prove that it performed the computation correctly.

In the case of auctions, it is normally the case that the auctioneer is trusted by
all parties to compute the result of the auction correctly. This might not be justified,
since the auctioneer might benefit from an illegal modification of the result of the
auction. (This is even true if the auctioneer is just a mediator that is selling items
which are offered by third parties, since such auctioneers usually charge a
commission which depends on the price at which the items are sold.) It is
sometimes the case that a trusted party (say an accountant) observes the operation
of the auctioneer and testifies that it is trustworthy. However, this party might be
corrupted and cooperate with a corrupted auctioneer. It might also be the case that
the trusted party cannot watch the auctioneer closely enough and the auctioneer can
cheat without being detected. These problems are amplified in a computerized
Internet setting.



The center that computes F can of course prove that it computed it correctly
by publishing all the inputs. However, this solution affects the privacy of the other
parties, since their inputs become public. The inventive method overcomes this
problem since it enables the center to prove that it computed F correctly without
leaking any information about the inputs.

There are suggestions in the art for distributing the operation of an auctioneer
between many servers in a way which is secure as long as not too many of these
servers operate maliciously. Franklin and Reiter [see REFERENCE 2] developed a
distributed system for sealed-bid auctions with many auctioneer servers, which
ensures the privacy of the bids until the time they are opened. This system further
enables the bids to be backed by escrowing financial commitments of the bidders.
Harkavy, Tygar, and Kikuchi [see REFERENCE 4] present systems for secure first
price and second price sealed bid auctions, which preserve the privacy of the bids
even after the winning bid is chosen (this variant was also briefly mentioned in
REFERENCE 2). Both systems distribute the operation of the auctioneer between
several servers and privacy is guaranteed as long as not too many of the servers
collude (most of the protocols require that less than a third of the servers collude,
and therefore, need a minimum of four servers). However, if enough auctioneer
servers collude they are able to maliciously change the outcome of the auction and
would not be detected. The requirement that auctioneer servers would not collude
seems very hard to enforce since all these servers operate for the auctioneer which
might have a motivation to cheat and increase its profits. Compared to these prior
art solutions, the inventive method does not require distributing the operation of
the auctioneer among several non-colluding servers, and provides security even if
the auctioneer is attempting to cheat.

Naor and Pinkas [see REFERENCE 6] present a different method that
prevents even the center from learning information about the parties' inputs. That
method requires the operation of an additional party - the Issuer. The Issuer
generates a program that computes the function (or the auction) and sends it to the
center. The center receives messages from the parties, which contain some
information that is intended for the Issuer. After the center receives messages from
all the parties it sends a message to the Issuer and receives a response which
enables it to use the program to compute the output of F for the parties' inputs. The
method ensures that neither the center nor the Issuer learn information about the
inputs of the parties. In this sense it provides better privacy than the inventive
method described herein. However, the inventive method presented here does not
require the cooperation of any additional party (like the Issuer) for the computation of
F. It enables the center to compute the function by itself and prove that it computed it
correctly, and in this respect is an advantage.



Consider a scenario with N parties, each having a private input, and a single
center. There is a function F with N inputs whose output should be computed.
Each party sends its input to the center. The present invention is a method, system
and apparatus that enables the center to compute and publish the output of F and to
prove to all parties that it computed F correctly. This is done without revealing the
value of the input of a party to any other party.

More specifically, the parties can be bidders in an auction, their inputs are
their bids, the center is the auctioneer, and the program F expresses the rule by
which the outcome of the auction is decided. The invention requires the auctioneer to
prove that it computed the result of the auction correctly.

The invention provides the same security as in the following scenario:
Assume that there is a reliable party (say an accountant or a lawyer) which is trusted
by all other parties. This party observes the operation of the center, i.e. it examines
the inputs that the center receives, verifies that the center computes the correct
output, and testifies that this is the case. The invention provides the same security as
is provided with this trusted party, but without using any such party. This ensures
better security (since trusted parties might breach the trust they are given), and is
more efficient (since it does not require an additional party).

Other and further advantages and objects of the present invention will
become readily apparent when considering the following detailed description of the
present invention when taken together with the appended drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram illustrating the different entities engaged in a 
computerized auction. 

Figure 2 is a schematic diagram illustrating the steps of the method of the 
present invention where the steps are indicated by numerals in parentheses. 

Figure 3 is a high level descriptive flow chart of the present invention as 
generally depicted in the diagrams of Figures 1 and 2. 

Figures 4A and 4B are a flow chart showing the steps of the implementation 
of the preferred embodiment of the present invention. 

Figure 5 is a flow chart of a secure two-party function evaluation protocol as 
implemented by the present invention. 

Figure 6 is a schematic diagram of a gate used in the protocol depicted in
Figure 5, and also shows the pseudo-random function used to prepare Table Tg used
in the protocol depicted in Figure 5.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

As initially noted, the apparatus and method of the present invention
comprises an auction service that is used in a network, such as the Internet, and
uses clients and/or servers. The invention utilizes cryptography and secure
distributed computation via computers to effect a computerized auction. However,
the invention is not limited to computerized auctions, but has broader application.
Many such applications involve a group of participants, denoted herein as "Parties",
each of whom has an input to the group as a whole, where the group as a whole is
required to compute and output a certain function of these inputs. The term
"function" herein denotes, in the usual sense, any mathematical or logical mapping
from one set of input entities to an output entity or set of entities. In certain cases,
the inputs may involve sensitive information, such that it would also be required that
this computation does not reveal any information about the inputs, except for
whatever might be computed from the final output. Such inputs are herein denoted
as "private inputs". If, in addition to the parties, there were furthermore a trustworthy
participant, denoted herein as a "center" and which is trusted by all the parties, then
each party could simply send the respective private input to this center, which would
then compute the function and publish, or output, the value of the computed function.
(The center is a participant in the protocol and is involved in the computation of the
function. It may or may not have a private input, and may or may not be within the
group of parties.) The parties, however, might not trust each other, and might not
trust any single center.

Although a particular case of interest is that of auctions, for example,
sealed-bid second-price auctions, commonly known in the art as "Vickrey auctions",
other applicable activities include mechanism design, which deals with the
design of protocols for selfish parties. The goal of a protocol is to aggregate the
preferences of the parties in order to decide on some social choice (for example, to
decide whether a community should build a bridge, or how to route packets in a
network, or to decide who wins an auction). Each party has a utility function which
expresses how much that party values each possible outcome of the protocol (the
bid in an auction, for example, is such a utility function). Each party sends
information about its utility function to a center, which decides on the outcome of the
protocol based on the reports from the parties, according to a specified function of
the utility functions (for example, in a sealed-bid auction, the specified function that
determines the winner is the maximum of the bids). The creation of algorithms by
mechanism design is known in the art, to solve a global problem among a number of
selfish agents (e.g. routing, or some cooperation between the agents). The present
invention can be used to compute these algorithms without requiring trust in the
center. The plausibility of using the present invention for such a task depends on the
complexity of expressing the utility functions and decision procedure in terms of
circuits.

A particular case of interest is the Groves-Clarke mechanism, where the 
public good is served if the sum of reported values is higher than some threshold. 
The circuit which computes this function is very simple, as is the circuit which 
computes the sum of the reported values for several options, and decides on the 
option with the highest sum. It is therefore very easy to use the present invention to 
provide a private protocol which computes a Groves-Clarke mechanism. 



Opinion polling is another relevant application: the design of mechanisms to
elicit the opinions of a group of independent experts. The application enables parties to
contribute their opinion to decision making without being worried that their opinion
would be revealed. It is known in the art that, where experts want their
recommendation to be accepted, there exists a mechanism with a single
equilibrium which achieves the public target (but such a mechanism does not exist if
experts care only about the public good). Such a mechanism can be implemented
very efficiently by the present invention. This essentially requires that one expert
chooses a subset of the experts whose opinions are considered, learns their
opinions, and then adds his opinion. The group decision is the majority opinion.



Another application is for polling the opinions of a group of people, while
hiding the individual opinions of the participants. Consider for example an opinion
poll (such as the Gallup Poll) which contains many questions. Suppose that the poll
is anonymous, and the organizer obtains lists of answers, one list for each
participant. In order to prove that it computed the result correctly, the organizer must
publish the lists of answers. Suppose also that only a single participant answered
affirmatively to a certain question, and that it is possible to guess with very high
probability who this participant is. Then, although the answers are anonymous, it is
possible to learn the answers of this participant to all the questions. The present
invention enables the sending of questions to the group members, and the
processing of their answers to obtain commutative outputs without revealing any
information about individual answers. Additional applications of the present
invention include multiple-question opinion polls, sociometric research, and voting
and elections.



Stable matching is yet another example of a global decision which depends
on the private preferences of many parties. In many scenarios it is plausible that
parties would be hesitant to reveal their matching preferences, even to the center
that computes the matching (consider, for example, matching couples for a prom).
The present invention enables the parties to reveal their true preferences without
being afraid that the center can learn them. As with other applications, the overhead
of implementing the present invention for this application depends on the complexity
of expressing the matching algorithm as a combinatorial circuit.

Referring now to the drawings, the different entities are depicted in Figure 1.
As shown, the entities include the parties 320 and the center 321. Each of the
parties 320 has an input to the function F. In the case of auctions some of the parties
might wish to sell items, and the rest of the parties are interested in buying these
items. In addition to the parties 320, there is a center 321. The center 321 runs the
show: it advertises the fact that F is computed, receives the inputs, and performs
the computation. In the case of auctions, the center is the auctioneer. It
publishes the auction, receives the bids from the bidders, and computes the
outcome of the auction. The auctioneer might be a party which merely
organizes the auction. It is also possible that it is one of the bidders or one of the
sellers (for example, he is selling an item which all other bidders are interested in
buying).



The Steps in a high level description of a preferred embodiment are illustrated
in Figure 2. The high level description of the illustrated preferred embodiment of the
method involves the following sequence of steps of the protocol. (1) The center
announces the computation and commits to the circuits. (2) Party 1 sends a
commitment to its input (Party 1 represents a generic party, and this operation is
performed by each of the participating parties). (3) The center publishes the
commitments. (4) Party 1 opens its commitment, and the center verifies it. (5) The
center computes the function. (6) The center publishes a proof that the computation
was correct, and Party 1 verifies it.

The Steps of the method of the present invention are elaborated in more
detail in the following, with reference to Figure 3. As shown, there are a number of
bidders 320 and a single center 321. The center announces in Step 301 that it will
compute the function F. (In the case of an auction the auctioneer announces the
existence of the auction and publishes its rules.) The center publishes in Step 302
commitments to K combinatorial circuits 322 that compute F (where K is a security
parameter).



Party B.sub.i, which wishes to participate in computing the function F, sends a
message to the center. They might exchange several rounds of communication, Step
303, at the end of which the center has a commitment c.sub.i to the value of B.sub.i's
input x.sub.i.



The center publishes in Step 304 the commitments it received from the
parties. (In the case of auctions this can be done at the end of the bidding
period.)

In Step 305 the bidders choose part of the K circuits that the center
committed to, from block 323, and ask the center to open them. They verify in Step
306 that the circuits compute the function F. In Step 307 each party B.sub.i sends to
the center the value x.sub.i to which it committed with c.sub.i. The center verifies
that x.sub.i corresponds to c.sub.i, that is, it verifies that A(x.sub.i,c.sub.i)=1.



The center now computes in Step 308 the value of the circuit that computes F
for the inputs x.sub.i it received. Next, the procedure for verifying the computation
takes place. The center computes and publishes a proof in Step 309 that it computed
the value of F correctly. Each party can use the published commitments to verify in
Step 310 that the proof is correct.



A considerable improvement to the protocol can be achieved by noting that
the function that is computed by the circuit need not be the function F that the center
computes, and whose computation should be verified. The circuit can compute a
function F' that verifies that F was computed correctly. For example, if F is a function
that computes the value and the index of the maximum of N inputs, X(1),...,X(N), F'
is the following function: It has N+2 inputs comprised of the N inputs to F and the
outputs (j,Y) of F. F' outputs 1 if and only if X(j)=Y, and X(j)>=X(i) for every i different
from j. The circuit that computes this function is substantially more efficient than the
circuit computing F.



There now is elaborated a detailed description of the preferred embodiment.

The inventive method employs cryptographic tools that enable a secure two-party
function evaluation. The particular secure two-party function evaluation protocol used
in the present invention is based on the method disclosed in REFERENCE 7. In the
invention, the protocol is run between two participants, A and B. The input of A is a
value x and the input of B is a description of a function f. At the end of the protocol,
A learns f(x) (but no other information about f), and B learns nothing about x. Thus,
the input x is a private input of A, and the function f is a private input of B.



The protocol is based on expressing f as a combinatorial circuit of gates
which are over some fixed base (e.g. all the functions g: {0,1} × {0,1} → {0,1}). The
bits of the input are entered into input wires and are propagated through the gates.

This procedure encrypts a circuit by generating a pseudo-random isomorphic
transformation of the circuit. This encryption is herein referred to as a "garbling" of
the circuit. The cyphertext of a circuit so encrypted by this procedure is herein
denoted as a "garbled" circuit. This process is detailed below, with reference to
Figure 5.

As shown in Figure 5, Inputs 502 include: A: a value x, in an input 502-A, and
B: a description of a combinatorial circuit which computes f, in an input 502-B. The
outputs of the flowchart shown in Figure 5 are Outputs 536 that include: A: f(x), in an
output 536-A, and B: nothing, in an output 536-B.

The protocol starts with Initialization. In step 504, B devises a circuit 506
made of logic gates, such that circuit 506 computes f. The design of logic circuits
made of gates that compute functions is well-known in the art.

Next, the circuit is encrypted. In step 508, B assigns to each wire i of circuit
506 two random values $(W_i^0, W_i^1)$ 510 corresponding to 0 and 1 values of wire i. The
random values should be long enough to be used as keys (for example, 80 bits
long). The value of wire i is denoted by $b_i$. In step 512, B also assigns to wire i a
random permutation $\pi_i$ 514 over {0,1}, $\pi_i : b_i \to c_i$.

In step 516, B uses a pseudo-random function R 518 to prepare a table Tg
522 (or a set of tables, also denoted herein by Tg) which enables computation of the
garbled output of each gate g 520, $\langle W_k^{b_k}, c_k \rangle$, from the values
$\langle W_i^{b_i}, c_i \rangle$, $\langle W_j^{b_j}, c_j \rangle$, the
garbled inputs to gate g. Table Tg does not disclose any information about the output
of gate g for inputs other than the pair $(b_i, b_j)$, nor discloses the values of the bits
$b_i$, $b_j$, or $b_k$.

In step 524, B prepares an output translation table To 526 which decrypts the 
garbled output bits of the circuit (the cyphertext output) to the actual bits of the output 
of the circuit (the cleartext output). 

Figure 6 illustrates gate g 520, which is a generic gate that computes the
value $b_k$ of an output wire k 604 as a function of the values $b_i$ and $b_j$ of input wires i
606 and j 608, respectively. Such a computation is denoted as $b_k = g(b_i, b_j)$. Figure 6
also illustrates pseudo-random function R 518, which is used to prepare table Tg
522.

If one assumes initially that the fan-out of every gate is 1, table Tg contains
four entries of the form:

$c_i, c_j$: $\langle W_k^{g(b_i, b_j)}, c_k \rangle$ XOR $R_{W_i^{b_i}}(c_j)$ XOR $R_{W_j^{b_j}}(c_i)$,

where $0 \le i \le j \le 1$.

The value $c_k$ is given by $c_k = \pi_k(b_k) = \pi_k(g(b_i, b_j))$. The entry does not have to include
the index $c_i, c_j$ since this is implicit in the entry's location.

Assume that A knows $c_i$, $c_j$ and the values $W_i^{b_i}$, $W_j^{b_j}$. In order to compute a
gate, A finds the entry $c_i, c_j$ in the table Tg for that gate, and performs an XOR
(exclusive-OR) operation with the value $R_{W_i^{b_i}}(c_j)$ XOR $R_{W_j^{b_j}}(c_i)$ to get the value
$W_k^{b_k} = W_k^{g(b_i, b_j)}$ and $c_k$.



To code the input, the following is undertaken. Given the table Tg of the gates,
and the garbled values $W_i^{b_i}$ and $c_i$ which correspond to the input wires, it is easy to
compute the garbled values of the output wires of the circuit. A knows the values of
the input bits and should obtain the values of the corresponding wires. In step 528,
for each gate in circuit 506, B sends to A the table Tg 522 that codes the gate. In
step 530, B sends to A the table To 526 that decrypts the garbled values of the
output of the circuit to the output bits of the circuit. In step 532, for each gate input wire
in the circuit, A and B engage in an Oblivious Transfer, at the end of which A learns
the garbled value of the wire's input bit (but nothing about the garbled value of the
input bit of the other wire into the gate), and B learns nothing.

A now has enough information to compute the circuit. In step 534, A
computes the output of the circuit for the input x. However, since A does not know
the garbled values for any other input bits, A cannot compute information about $f(x_0)$
for any $x_0 \ne x$ (except, of course, information that can be deduced from f(x) alone).
Note that the communication between the two participants A and B can be done in a
single back-and-forth round, and B can prepare the circuit in advance, before the
input is known to A.

To handle a gate fan-out greater than 1, it is simply required to use a different
input to the pseudo-random function R at each gate in which the wire is used. (If the
same value is used in different gates, then it will be possible to cancel the
application of the pseudo-random function R by an XOR operation, and A could
thereby learn relationships between garbled values.) Suppose that the fan-out of
wire i is M, then in a gate m ($1 \le m \le M$) which uses wire i as input, the masking
value that is used should be $R_{W_i^{b_i}}(c_j, m)$. That is, the pseudo-random function R
should be applied to the concatenation of $c_j$ and m. Alternatively, it is possible to
assign each gate a unique identifier $I_g$, and use $R_{W_i^{b_i}}(c_j, I_g)$.
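
The gate table Tg and its evaluation by A, as an added Python example that is not part of the original specification. It assumes HMAC-SHA256 (truncated to the entry length) as the pseudo-random function R, uses the gate-identifier variant R(c, I_g) described for fan-out greater than 1, and all function names and the sample circuit are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10  # 80-bit wire keys, the example length given in the text


def prf(key: bytes, c: int, gate_id: int) -> bytes:
    """R_key(c, I_g). HMAC-SHA256 stands in for R (an assumption of this example)."""
    msg = bytes([c]) + gate_id.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEY_BYTES + 1]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_wire():
    """Two random keys (W^0, W^1) and a random permutation pi over {0,1}.
    A permutation of {0,1} is identity or swap, so it is stored as one bit."""
    return {"W": (secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)),
            "pi": secrets.randbelow(2)}


def garbled(wire, b: int):
    """Garbled value <W^b, c> of a wire carrying bit b, where c = pi(b)."""
    return wire["W"][b], b ^ wire["pi"]


def garble_gate(g, wi, wj, wk, gate_id: int):
    """B's side. Entry (c_i, c_j) holds
    <W_k^{g(b_i,b_j)}, c_k> XOR R_{W_i^{b_i}}(c_j, I_g) XOR R_{W_j^{b_j}}(c_i, I_g)."""
    table = {}
    for bi in (0, 1):
        for bj in (0, 1):
            Wi, ci = garbled(wi, bi)
            Wj, cj = garbled(wj, bj)
            Wk, ck = garbled(wk, g(bi, bj))
            mask = xor(prf(Wi, cj, gate_id), prf(Wj, ci, gate_id))
            table[(ci, cj)] = xor(Wk + bytes([ck]), mask)
    return table


def eval_gate(table, gi, gj, gate_id: int):
    """A's side. From <W_i, c_i> and <W_j, c_j> recover <W_k, c_k>.
    A never sees b_i, b_j or b_k, only keys and permuted bits."""
    (Wi, ci), (Wj, cj) = gi, gj
    mask = xor(prf(Wi, cj, gate_id), prf(Wj, ci, gate_id))
    out = xor(table[(ci, cj)], mask)
    return out[:KEY_BYTES], out[KEY_BYTES]


def run_circuit(a: int, b: int) -> int:
    """Garble and evaluate f(a, b) = (a AND b) XOR a. Wire a has fan-out 2,
    so the two gates that consume it use different gate identifiers."""
    wa, wb, wt, wout = new_wire(), new_wire(), new_wire(), new_wire()
    t1 = garble_gate(lambda x, y: x & y, wa, wb, wt, gate_id=1)
    t2 = garble_gate(lambda x, y: x ^ y, wt, wa, wout, gate_id=2)
    # Output translation table To: permuted output bit -> cleartext bit.
    T_o = {bit ^ wout["pi"]: bit for bit in (0, 1)}
    # A holds only the garbled inputs (obtained by Oblivious Transfer in the protocol).
    ga, gb = garbled(wa, a), garbled(wb, b)
    gt = eval_gate(t1, ga, gb, 1)
    _, c_out = eval_gate(t2, gt, ga, 2)
    return T_o[c_out]


if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, run_circuit(a, b))
```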



It is also possible to adapt this protocol to circuits in which gates have more
than two inputs, as well as for wires having more than two possible values. The size
of the table for a gate with n inputs which each can have d values is $d^n$.

The prior art of REFERENCE 7 (Yao's protocol) is limited to two participants,
but has been extended in the prior art to handle multi-party
inputs, see REFERENCE 3. These extended protocols, however, require a round of
communication for each gate in the circuit, which is impractical in many applications,
such as in auctions. The method of REFERENCE 3 would require extensive
interactive communication among the bidders in an auction, and is therefore not
suitable. In contrast, the present invention does not impose the burden of extensive
interactive communication and does not require the bidders to communicate among
themselves, and therefore represents an improvement not only over the prior art of
REFERENCE 7 and 3. Furthermore, the prior art of REFERENCE 3 is secure only
for limited coalitions of less than one-third of the parties.

A commitment to a value X is similar to the following process: party B which
knows the value of X writes it on a piece of paper which is put in a sealed envelope.
At this stage no one can learn anything about X, but B is committed to X and cannot
change the value in the envelope. At a later stage B can "open the commitment"
by opening the envelope and revealing X.

More formally, a commitment to a value X is computed by a function
C=C(X,R), where R is a random string. It has the following properties: (1) C is easy
to compute. (2) Given C(X,R), it is infeasible to compute any information about X.
(3) There is an algorithm A such that A(C(X,R),X,R)=1, and for any other X'
(different than X) and R' it holds with high probability that A(C(X,R),X',R')=0.

Such commitment schemes can be implemented efficiently, see for example
REFERENCE 5.
Now the details of the implementation of the preferred embodiment will be
described in conjunction with the flow chart of Figures 4A and 4B. The first stage is
the announcement. This stage is carried out by the center 421 announcing in step
401 that it will compute F. Let K be a security parameter. The center constructs in
step 402 K garbled circuits that compute F. For each input wire j of each of the
circuits the center chooses in step 403 a random permutation P.sub.j over the two
values 0 and 1. The center publishes in step 404 the tables of the gates of the K
circuits 422. For each input wire j (in each of the circuits) it publishes in step 404
a commitment to W.sub.j.sup.0 and a commitment to W.sub.j.sup.1, ordered by the
permutation P.sub.j, and a commitment to P.sub.j.

The next stage is for the parties 420 to commit to their inputs. Each party
B.sub.i has an input x.sub.i of I bits. The bits of this input are denoted as
x.sub.(i,l). Each input bit should be input to an input wire in each of the K
circuits. For each wire j of these wires, the center sends in step 405 to B.sub.i the
permutation P.sub.j. B.sub.i sends in response in step 406 a commitment 424 to
P.sub.j(x.sub.(i,l)), i.e. to the permuted value of its input.

The next stage is to publish the commitments. The center 421 publishes in
step 407 the commitments 424 it received from the parties.

The next stage is to open the commitments. The parties 420 choose K/2 of
the K circuits that the center has created and ask the center to open in step 408 all
the commitments to the permutations and garbled inputs of these K/2 circuits 423.
They verify in step 409 that these circuits indeed compute F. Each of the parties
B.sub.i sends in step 410 its input x.sub.i to the center. B.sub.i also opens to the
center the commitments that it made to each of its assigned input wires. These were
for values 0 or 1 which are the permuted values of B.sub.i's inputs. The center
verifies in step 411 that these commitments are consistent. The center publishes in
step 412 the opened commitments 425 of each of the parties, and opens the garbled
values W.sub.j.sup.0 or W.sub.j.sup.1 that correspond to them.
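
The commitment function C(X,R) with its checking algorithm A, applied to steps 405 to 411 above for the input wires of one circuit, as an added Python example that is not part of the original specification. It assumes a hash-based commitment (SHA-256 over R || X, not necessarily the scheme of REFERENCE 5), represents each permutation P.sub.j as a bit XORed into the input bit, and uses hypothetical function names and a constructed 4-bit bid.

```python
import hashlib
import hmac
import secrets


def commit(v: int, r: bytes = None):
    """C(X, R) for a single bit X = v: SHA-256 over R || v.
    R is a fresh 32-byte random string unless one is supplied for re-checking."""
    if r is None:
        r = secrets.token_bytes(32)
    return hashlib.sha256(r + bytes([v])).digest(), r


def A(c: bytes, v: int, r: bytes) -> int:
    """Checking algorithm A(C, X, R): 1 if (v, r) opens c, otherwise 0."""
    return 1 if hmac.compare_digest(c, commit(v, r)[0]) else 0


def bits(x: int, n: int):
    """The n input bits of x, least significant first."""
    return [(x >> l) & 1 for l in range(n)]


def party_commit(x: int, perms):
    """Steps 405-406: for every assigned input wire j the party commits to
    P_j(bit), the permuted value of its input bit.
    Returns (commitments sent to the center, openings the party keeps)."""
    commitments, openings = [], []
    for p, b in zip(perms, bits(x, len(perms))):
        v = b ^ p                      # P_j applied to the input bit
        c, r = commit(v)
        commitments.append(c)
        openings.append((v, r))
    return commitments, openings


def center_verify(x: int, perms, commitments, openings) -> bool:
    """Steps 410-411: the party reveals x and opens its commitments; the center
    checks every opening with A and checks that the opened permuted bits are
    consistent with the claimed input x."""
    n = len(perms)
    if x < 0 or x >> n != 0:           # claimed input does not fit the input wires
        return False
    if len(commitments) != n or len(openings) != n:
        return False
    for p, b, c, (v, r) in zip(perms, bits(x, n), commitments, openings):
        if v not in (0, 1) or A(c, v, r) != 1 or v != b ^ p:
            return False
    return True


def demo():
    """Constructed sample: a 4-bit bid of 11 on four input wires."""
    perms = [secrets.randbelow(2) for _ in range(4)]   # P_j chosen by the center
    cs, ops = party_commit(11, perms)
    honest = center_verify(11, perms, cs, ops)
    changed_bid = center_verify(12, perms, cs, ops)    # tries to open to another bid
    return honest, changed_bid


if __name__ == "__main__":
    print(demo())
```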

In the next stage, the center computes the function in step 413 and
publishes the output of each of the K/2 circuits which were not chosen by the
parties.

In the final stage, each party 420 can verify the computations of the center
421. Each B.sub.i can use the opened garbled values 425 and the tables of the
gates 422 to compute the output of each of the K/2 circuits, and verify in step 414
that they all have the same output.

One problem that may be encountered in an auction is that a party does not
open its commitment. For example, a party might refuse to communicate with the
sender at the step at which the commitments should be opened. This type of behavior
enables cheating, for example, in the case of second price auctions the center itself
might use fake identities of bidders in order to commit to bids in different values, and
open only the bids which are smaller than the highest value among all other bids.
This behavior might increase the amount that the winner would be required to pay.



One approach for dealing with parties that do not open their commitments
appropriately would be to require parties to also submit their bids to a trusted third
party T. The help of the trusted party T is not required if all parties open their
commitments. However, when a party refuses to open its commitment, the trusted
party T can be called upon to open it. Such a scheme can be realized, for example,
by using commitments of the following form: the public key of trusted party T would
be known to everyone. A commitment to a value v would be an encryption of this
value with T's public key (say with a probabilistic encryption scheme which ensures
indistinguishability). The party who created this commitment can open it by revealing
v and showing how it encrypted it. If this party refuses to open the commitment then
trusted party T can open it using its private key.

A more promising approach is to use "Timed commitments" [see
REFERENCE 8]. These are commitment schemes with an optional forced opening
phase enabling the receiver of the commitment to recover (with effort) the committed
value without the help of the bidder making the commitment (committor). It is
possible to require the bidders to use timed commitment schemes to commit to their
bids, enabling the auctioneer to open these commitments, to their original value, if a
bidder is not willing to open his or her bid.
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A different approach for ensuring that each party opens its commitments is to 
require parties to back their commitments financially. A party who refuses to open its 
commitment would be required to pay a fine. 

Although the invention has been shown and described in terms of specific 
embodiments, nevertheless various changes and modifications will be evident to 
those skilled in the art from the teachings of the invention. Such changes and 
modifications which do not depart from the spirit, scope and contemplation of the 
invention are deemed to fall within the purview of the claims. 

WHAT IS CLAIMED 

1. A method for preserving the integrity of a negotiation comprising the 
steps of: 

a) providing an architecture which includes a center A, and a plurality of users 
B.sub.1, B.sub.2, ..., B.sub.n, 

b) generating for each user B.sub.i an input X.sub.i, 

c) inputting each user's input X.sub.i to the center A, 

d) computing and publishing a function F(X.sub.1,X.sub.2,...,X.sub.n) by the center 
A based on the input messages it receives, 

e) each user B.sub.i (1 <= i <= n) communicating with the center A exclusively, and 

f) publishing by center A additional information which lets each of the users verify 
that F was computed correctly, and preventing a coalition of any one subset of the 
users from learning (i) anything which cannot be computed just from the output 
of the function, F(X.sub.1,...,X.sub.n), and from their own inputs, and (ii) 
information about the inputs of other users. 

2. The method of Claim 1 for computing the output of a sealed bid 
auction, where the users are bidders and the center is the auctioneer, and wherein 
the input X.sub.i is the bid of bidder B.sub.i, and an output of F is the identity of the 
winning bidder and the amount he has to pay. 

3. The method according to any one of claims 1 or 2, for computing 
the output of a sealed bid auction, where the users are bidders and the center is 
the auctioneer, and wherein the input X.sub.i is the bid of bidder B.sub.i, and an 
output of F is the identity of the winning bidder and the amount to be paid, and 
wherein the center only makes disclosure to the winning bidder, while all other 
bidders being able to verify that the auction was computed correctly, but do not learn 
any other information. 

4. The method according to any one of claims 1, 2 or 3, for first price 
auctions, where the output of F is (B.sub.j, X.sub.j), where X.sub.j is greater or 
equal to any one X.sub.i for 1 <= i <= n. 

5. The method according to any one of claims 1, 2 or 3, for second 
price auctions (Vickrey auctions), where the output of F is (B.sub.j1, X.sub.j2), where 
X.sub.j1 is greater or equal to any X.sub.i for 1 <= i <= n, and X.sub.j2 is greater or 
equal to any X.sub.i for 1 <= i <= n except for i=j1. 

6. The method according to any one of claims 1, 2 or 3, for k-th price 
auctions, where the output of F is (B.sub.j1, X.sub.j2), where X.sub.j1 is greater or 
equal to any X.sub.i for 1 <= i <= n, and X.sub.j2 is the k-th largest among all inputs 
X.sub.i for 1 <= i <= n. 

7. The method according to any one of the preceding claims wherein 
the auction is a plural auction where there are a plurality of sellers. 



8. The method according to any one of the preceding claims wherein 
the auction is a generalized Vickrey auction. 

9. The method according to any one of the preceding claims, 
comprising the step of computing the auction such that the auctioneer wants to buy 
an item and each of the bidders wants to sell this item, and wherein negative values 
of the inputs X.sub.i are possible. 



10. The method according to any one of the preceding claims, 
comprising the step of computing the output of the auction such that the users learn, 
in addition, some statistic of the inputs, such as, the users can learn at least one of 
the average of the inputs, the variance of the inputs, or how many one inputs 
were in a certain range. 

11. The method according to any one of the preceding claims, 
comprising the step of computing the output of the function such that only the center 
learns the output of the function, or several of the users learn the output of the 
function, or all the users learn the output of the function. 

12. The method according to any one of the preceding claims, 
comprising the step of computing the output of a mechanism, in particular, for 
one of Groves-Clark mechanisms, opinion polling and stable matching. 

13. The method according to any one of the preceding claims, 
comprising the steps of each user committing to the values of his input in a manner 
that the user cannot change it afterwards, but hiding the input value from the 
center; at a specific stage, the users opening their commitments to their inputs and 
revealing their values to the center, which then computes the value of F in a manner 
that each of the users can verify that the values that were used as inputs for 
computing F were the values that were committed to by the users. 

14. The method according to any one of the preceding claims, 
comprising the step of implementing automated agents which participate in the 
auction which do not disclose to the auctioneer the limit price that they were given, 
until the end of the bidding period. 



15. The method according to any one of the preceding claims, 
comprising the step of computing a function where the center can generate a proof 
that it computed the correct output of the function. 

16. The method according to any one of the preceding claims, 
comprising the step of computing a function by N centers, such that only if K of the 
N centers collude they can learn information about the parties' inputs. 

17. In a system that contains N parties, each having a private input and 
a center adapted to compute a function F of said input; apparatus for computing said 
function F in said center, comprising: 

a first program provided in the center that enables calculation of said function 
F; 

circuitry for publishing said function F using the program while not revealing 
substantially any information about said input; and 

a second program provided to the parties enabling each one of said parties to 
prove that said function F was calculated correctly. 

18. In a system according to claim 17, wherein the second program 
precludes the learning of any information other than the function F was calculated 
correctly. 

19. In a system according to claim 17, wherein the first program 
includes a construction of K garbled circuits for computing function F. 

20. In a system according to claim 17, wherein said parties are bidders 
in an auction; said input are bids, said center is an auctioneer, said function F is the 
rule by which said auction is decided, whereby the auctioneer is capable of 
calculating the result of said auction without revealing any information about said 
bids, except for the identity of the winning party from among said parties, and the 
amount to pay. 

21. In a system according to claim 20, wherein the function is 
determined utilizing a circuit of gates. 

22. In a system according to claim 20, wherein the second program 
includes the capability of utilizing the circuit of gates to independently determine and 
verify that the computations of the center are correct. 
CONTINUATION OF BOXES NO. II AND NO. III 
FLEIT, LOIS : OA 
YEDA RESEARCH AND DEVELOPMENT CO. LTD. : EP, IL, JP AND US 

CONTINUATION OF BOX IV 
KAIN, ROBERT C; GIBBONS, JON A.; GUTMAN, JOSE; BONGINI, STEPHEN C THE ADDRESS 
OF THE MENTIONED AGENTS IS THE SAME AS THAT LISTED IN BOX IV. 

Box No. VI PRIORITY CLAIM 
item (1): filing date of earlier application (day/month/year): 10/08/99; number of 
earlier application: 60/148.183; national application, country: US 

Box No. VII INTERNATIONAL SEARCHING AUTHORITY 
Choice of International Searching Authority (ISA): ISA/EP 

Box No. VIII CHECK LIST; LANGUAGE OF FILING 
This international application contains the following number of sheets: 
request: 5; description (excluding sequence listing part): 16; claims: 4; abstract: 1; 
drawings: 6. Total number of sheets: 32 
Figure of the drawings which should accompany the abstract: FIG. 2 

Box No. IX SIGNATURE OF APPLICANT OR AGENT 
MARTIN FLEIT, REG. NO. 16,900 